ISACA Sydney Conference 2025 – Event Recap
Posted: Monday, Dec 15

Overview

Walking into the ISACA Sydney Chapter Conference as “the student voice”, I knew I was surrounded by some of the heaviest hitters in cyber, audit and technology leadership. My job for the day was simple but huge: ask the questions students and early-career professionals are scared to ask and bring those answers back to our community.

By the end, one theme kept looping in my head: it’s not enough to just be “technical” anymore. Everyone I spoke to blended risk, business, people and tech in a way that felt very future-ready without losing sight of the basics.

Here’s what I learned, straight from the leaders I interviewed.

“Future-ready” isn’t just a buzzword

ISACA Sydney Chapter President Chirag Joshi set the tone for the whole day when I asked him to “set the scene” for the conference.

He broke it down into three pillars the community is rallying around (ambition, execution and impact), all pointing to one outcome: being future-ready. The theme, “assurance and innovation”, wasn’t accidental.

“For us to innovate responsibly, we need assurance but assurance itself also has to be innovated,” he explained, emphasising that assurance and innovation now go both ways.

This wasn’t just a Sydney event either. Chirag reminded me it was a showcase for the wider Oceania community, with representation from Australian and New Zealand chapters, and a strong focus on strategic communication, not just frameworks and tools.

He also called out three groups very clearly:

  • Volunteers – who put the whole conference together and helped grow the chapter to over 2,000 members in under six months.
  • Women in leadership, especially through SheLeadsTech, as a way of “walking the talk” on inclusion.
  • Students and interns, who “double up as volunteers” and are seen as the future with real pathways via scholarships and internships, not just nice words.

As a student, it was kind of wild to realise I wasn’t just there to observe. I was part of the community they’re actively building around us.

When I sat down with Jamie Norton, Board Director, ISACA, we went straight into the deep end: how the expectations of CISOs have shifted over the last decade, especially with AI in the mix.

From his view, AI has turbo-charged innovation, but it’s also become fundamental to security, especially around governance and keeping governance ahead of the tech curve. The tricky part? Australia doesn’t yet have a single, well-defined national AI framework everyone can default to. There are emerging government guidelines, but organisations are still split between those who want regulation for guardrails and those who worry it will constrain them.

For students who want to aim at executive roles, Jamie’s advice was very clear:

  • Don’t run away from technical skills, even if you’re not “under the hood” level.
  • Learn the language of risk and what it means for the business.
  • Be able to bridge technical and business worlds and build a narrative that makes sense in the boardroom.

He also called out one classic junior mistake when trying to sound “strategic”:

Early-career analysts often go too technical and lean hard into jargon in executive conversations, and then the CISO must jump in and translate. It was a good reminder: you can know the tech, but if you can’t explain the risk, you’ll hit a ceiling fast.

Talking to Jo Stewart-Rattray, Oceania Ambassador, ISACA, about women in cyber felt like getting a reality check wrapped in encouragement.

“You can’t be what you can’t see”

She’d just come back from ISACA global leadership in London, where all the women in chapter leadership were called on stage:

“They overflowed the stage,” she told me, which is a huge change from when she started, when there were only a handful of women in those roles.

But she didn’t sugar-coat it. Yes, numbers are improving. No, we’re not there yet. Women are still under-represented in cyber.

When I asked why the numbers are slowly climbing, she dropped a line that will probably stay with me forever:

“You can’t be what you can’t see.”

Seeing other women, not just at the very top but progressing steadily through their careers, gives others permission to step up too.

Jo also challenged the Instagram version of cyber:

  • Cyber is not as “groovy” as people think. It’s hard, stressful work.
  • You might end up realising you love something like end-user computing or one-to-one roles more, and that’s okay.
  • Spending time in places like the service desk can give you a real feel for user mistakes, pain points and what people actually need before you jump into cyber roles.

On mentoring, she was very honest. Not every mentor pairing works, especially when programs try to match people “by algorithm”:

It’s a bit like online dating – there has to be real compatibility and trust, and it’s okay to say “you’re not the right mentor for me.”

Her own mentor of 10+ years was “brutally honest” – the kind who would call out, “Have you heard what you just said?” and force real reflection. Tough love, but paired with genuine care.

With Natasha Passley, Senior Managing Director – Cybersecurity, at FTI Consulting, my favourite part was how non-linear her journey was. She started with a degree in German and French, not computer science. Her first role was on a European technical help desk, where she gained her technical skills, before achieving a master’s in information systems. Working in the banking sector, she moved into compliance-driven technology delivery before eventually moving into risk and cyber.

Now she advises boards and execs across all sectors on cyber risk, strategy, resilience and compliance, but the questions they ask her are surprisingly consistent:

  • “How do we prevent this from happening to us?”
  • “How do we compare to our peers?”
  • “After all this investment, how much risk have we actually reduced?”

When we got onto graduates, Natasha made two big points that I think a lot of us need to hear:

  • Governance, risk and compliance (GRC) is just as important as the traditional technical skills of cybersecurity. These skills matter equally for being able to talk in business terms and for ensuring the tech investments you make aren’t just shelfware.
  • The standout trait in grads isn’t a specific certification – it’s proactivity. The ones who raise their hand after finishing a task, ask for more, or just come and have a conversation, end up far more visible.

For anyone considering consulting early in their career, Natasha also made the case that it’s actually a great place to start if you want variety and exposure to different sectors and problems.

From there, Vanessa Gale, Head of Identity & Access Management, Latitude Financial Services, reinforced something I heard all day: culture change in cyber works best when it starts at the grassroots, not just top-down. She highlighted how people-first approaches in org change and M&A are getting better traction than “thou shall be secure” pushed from above.

Her own path into cyber risk and assurance started in environmental engineering, which again hammered home that risk thinking is a transferable muscle, not a degree-locked option.

When I asked how she’d build an IAM program from scratch using graduates, she didn’t start with tools or platforms. She started with:

  • Understanding the business and where IAM fits.
  • Being able to write a good email and communicate clearly.
  • Getting to know your stakeholders.
  • Time management and prioritisation.

Basically: before you touch the fancy IAM suite, learn how to be a reliable human in a real organisation.

Talking with May Lam, CIO at Australian Payments Plus (AP+), shifted the conversation from personal careers to something much bigger: Australia’s payment sovereignty.

She reminded me that AI isn’t new – she was already studying expert systems at uni in the 90s – and that today’s landscape spans everything from machine learning and deep learning to generative and “agentic” AI.

From a CIO lens, she broke responsible AI down into three pillars:

  1. Corporate strategy first – “there is no AI strategy without corporate strategy.”
  2. Data governance – “no data, no AI” – strengthen the core before chasing shiny tools.
  3. Ethics – tech changes, ethics don’t.

On payments, she raised a point I honestly hadn’t thought deeply about: every time we tap via big-tech wallets and international schemes, we’re quietly exporting slices of Australia’s GDP. That’s why AP+ thinks so much about open ecosystems, competition and keeping capability onshore.

When I asked about cybersecurity’s role in all of this, she didn’t hesitate:

Cybersecurity is the invisible backbone – the licence to operate. Trust takes years to build and seconds to lose.

For those of us thinking about careers in financial services or critical infrastructure, that sentence alone is a whole thesis.

When I asked Brahman Thiyagalingham, CISO at GME, what’s driving the biggest shift in how organisations approach security today, he said something that instantly stuck with me:

“We’re realising there are far more variables influencing business outcomes than we ever accounted for.”

He compared it to high-school formulas where everything is “held constant” until you step into the real world and nothing is constant anymore.

On the hype cycles like AI, he summed it up perfectly:

“Everyone feels like they need to jump on the latest and greatest, but the real challenge is understanding what actually matters to the organisation.”

A lot of us bring our own ideas of “what good looks like” from past roles or labs, but Brahman pointed out that consultants and in-house teams often operate differently, which essentially means context matters more than textbook security.

Drawing from his time working with safety-critical engineering teams, he highlighted the value of rigour:

“You still need clear requirements, design, testing, and a plan for how the system will be used safely and securely.”

Even in agile environments, he said it’s still essential to come back and check: Does the thing we built actually do what it’s meant to do?

When I asked how graduates can balance business and technical skills, he kept it simple:

“Start with solid technical foundations. Then learn the language of business.”

He shared that he’d done four years in pure tech before realising he couldn’t “speak business”, so he pursued a Master of Business Technology where he learnt the two questions he still uses today:

  • So what?
  • Who cares?

Finally, I asked him how he’d test a graduate in 10 minutes.

No tools. No frameworks. Just thinking.

“I’d give them a scenario and look at their curiosity and approach. That matters more than technical perfection.”

And honestly? He’s right: your mindset will take you further than your ability to memorise a toolset.

My final conversation of the day was with Garry Barnes, Practice Lead, Governance Advisory at Vital Advisory, and it took us back to audit basics that honestly feel more relevant than ever.

When I asked what core principles in audit have never changed, he went straight to one:

“Security must stay connected to the business purpose. The business exists to achieve something; security is there to enable that – especially in a digitised world.”

Then he added a phrase he’s been using for about 25 years:

“People before process before technology.”

People do the work. Processes should support them. Technology should support both – not make their lives harder just because there’s an external threat and we panic-add controls.

He also challenged a very common pattern he sees in cyber: focusing on “assets” as if that’s the whole story. In his view, value is what matters – the services and outcomes those assets enable, and how they support the business’ purpose.

For students and grads, Garry suggested starting with simple but powerful questions:

  • Why does our business exist?
  • What must we do well to succeed?
  • How much security is enough?
  • What risks are we willing – and not willing – to take?

He pointed out that most organisations, whether they’re in education, health, banking or hardware, follow a similar value chain: they design something, build it, distribute it and then manage it. If you understand that chain, you can see exactly where security needs to be embedded – especially in design, build and deploy.

What this all means if you’re early in your cyber journey

Walking out of ISACA Sydney, my notebook (and honestly my brain) was overflowing. But if I strip it down to the things that really matter for students and early-career folks, it looks like this:

  • Blend tech with business and risk. Everyone from Jamie to Natasha to Chad talked about risk, value and decision-making – not just tools.
  • Get comfortable translating. Whether it’s IAM, payments, or incident response, the leaders I spoke with are constantly turning technical reality into business language.
  • Don’t underestimate “soft” skills. Jo, Vanessa and Natasha all hammered communication, stakeholder skills, mentoring and attitude. Those are not optional extras.
  • Be proactive and visible. Put your hand up. Ask better questions. Talk to senior people like they’re human (because they are).
  • Use communities like ISACA. From SheLeadsTech to internships and global chapters, it’s literally built to give students a platform and a network.

Most of all, the day reminded me that cyber isn’t just about defending systems; it’s about enabling trust, value and opportunity for real people. And for those of us just starting out, that’s the exciting part.

Chaahat Baghla
Chaahat Baghla has a Bachelor of Cybersecurity from Macquarie University. With a deep passion for reading, writing, and asking the questions that matter, Chaahat is known for her confident voice and thoughtful curiosity. Chaahat brings her public speaking skills and genuine interest in people’s stories to her new role as the host of the KBI.Media original series, Destination Cyber, as well as her work as a Staff Writer with KBI.Media.